OpenPages finished another strong quarter this week. Big wins in the US, UK and South Africa led to another profitable quarter, with both revenue and bookings up significantly in Q3 over Q2. Other highlights from the quarter included being named as a leader in both the Forrester EGRC Wave and the Gartner MQ as well as in reports by European analyst firms Chartis and Celent. If there were a Sprint Cup for risk management software, OpenPages would be way out in the lead! We’re seeing more and more evidence of what we surveyed at OPEN, namely, that risk management spending is trending up this year, and we’re also starting to see companies prepare for 2010. We’re involved in several opportunities that already have approved budgets for January.

In addition to the discussions summarized in previous posts, the participants at OpenPages Executive ERM Forum discussed risk quantification for operational risk and compliance. Some interesting ideas surfaced during the discussion.

First, participants agreed that the objective of quantification is for relative sizing and prioritization. In other words, you need to be able to relate the relative severity of a compliance risk in one division to an operational risk in another. This helps allocate resources to the right risks in the business.

It’s Easy Being Green

A key challenge that participants discussed was the surfacing of bad news. One participant described their company’s risk rating methodology, in which risks are presented in management reports as red/yellow/green. One quarter, a risk report went up through a chain of approval, with the risks “getting greener” at each level of approval because of a reluctance to surface bad news.

One way to address this problem is to have a scale that relates to an external benchmark. One participant discussed ranking capability in relation to either other business units or competitors. You can use objective evidence to back up, or challenge, the rankings in this scale.

Tolerance

Of course, all measurement has to be done in relation to tolerance, which for many companies is difficult to quantify. In many cases, boards don’t have an inherent sense of risk tolerance, so management has to give the board specific examples that help frame the discussion around tolerance. The issue of tolerance is a difficult one when discussed in relation to compliance, and when the general counsel’s office is involved, the conversation is typically short, as there’s no real tolerance for non-compliance from a legal perspective. Further, some organizations are even concerned about having the discussion in the first place. One executive noted the differences between US and UK law on this topic: boards in the UK can refer to discussions about risks as evidence of their discharging their governance responsibilities, whereas in the US boards don’t want to be liable for having discussed, but not fully mitigated, a realized risk.

The airline industry was referenced as one in which zero tolerance has to be the goal, as it’s clearly not acceptable to manage against, say, one crash per year or even one every 10 years. The question becomes how much you spend to mitigate the risk of ever having a crash. This led to a discussion of catastrophic events and the notional amount at risk simply for being in business.

One participant had an interesting perspective on how boards can think about tolerance. Investors build out their portfolios to reflect their risk/reward profile. They invest in particular companies because of the risk/reward characteristics of that particular company. Boards should always ask, “Are we taking the kinds of risks that are priced in by our investors?” In other words, are we following our stated strategy? Framing the discussion in this light puts a different perspective on risk exposure.

When several prominent industry analysts (Gartner, Chartis and Celent) recently published research on operational risk management (ORM), a common theme emerged – ORM is a critical and growing discipline; and OpenPages is a leading software provider in this market.

OpenPages was cited as a leading provider of operational risk management software in the Chartis Operational Risk Management Systems 2009 market analysis report. The report states that, “Successful vendors need to be able to assist in the implementation, training and methodological aspects of ORM,” and identifies OpenPages as a company with particularly strong efforts in this area.

Chartis is forecasting the worldwide ORM market will grow at 6.9% to $1.68 billion by 2013. They expect this growth to be fuelled by among other things:

This month, OpenPages was also recognized as a leading software company in the Enterprise Operational Risk Management Compliance, and Governance Solutions report by independent analyst group, Celent. The report notes that OpenPages is one company that is, “leading the field in terms of depth of functional capabilities.” The report continues that, “OpenPages is particularly strong in its multidomain governance, risk, and compliance management approach.”

Even in the wake of sweeping deregulation of the energy industry, few companies face as much government oversight as utilities. Power generation and distribution companies are subject to a maze of regulatory oversight from state agencies and from federal agencies such as the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), the Environmental Protection Agency (EPA) and the Occupational Safety and Health Administration (OSHA).

As Managing Director of Corporate Compliance at Duke Energy, Tom Wiles knows firsthand the challenges of operating a business in a regulated industry. Duke Energy – a Fortune 500 company traded on the New York Stock Exchange – is one of the largest electric power companies in the United States, delivering energy to approximately 4 million U.S. customers.

In a Compliance Week Webinar titled “Proactive Ethics and Compliance Programs in a Regulated World”, Tom Wiles discusses how a “proactive partnering” and “risk-focused coverage” approach has delivered positive results for Duke. He states that in order to create an effective and efficient enterprise-wide ethics & compliance infrastructure, the Ethics and Compliance Manager needs to establish expectations, communicate expectations, monitor behavior, report results and provide continuous improvement.

If you’d like to learn the key steps your organization can follow to integrate disciplined ethics and compliance management into your business and hear about the value organizations are receiving from effective programs, check out this Webinar.

There are few things more devastating to a chief executive or board of directors than seeing their company’s name splashed across media headlines with allegations of having broken the law. After wondering how it could possibly happen to us, the focus quickly goes to how best to effect damage control, with accompanying thoughts of billions of dollars in fines, penalties, judgments and lost business, as well as personal exposure, and knowing great amounts of time and energy will be directed to dealing with regulators, lawyers, and investigators instead of growing the business.

It’s fascinating to see that, despite reading of such happenings at other companies, somehow many top managements can’t imagine it happening to them. Hence, too often companies put in place a code of conduct and ancillary policies, a whistleblower channel, and perhaps even a compliance officer – all useful elements – but which fall far short of an effective compliance program. And with each new law or regulation, a new policy and related procedures are installed, frequently duplicating existing procedures but still falling terribly short of an effective program. So we see fragmented and duplicative procedures that are administratively burdensome and often outdated, while the significant risks of non-compliance continue to grow.

In contrast, leading companies are proactively dealing with the associated risks. They take a holistic approach, first recognizing that laws and regulations were set forth in the first place as a reaction to damage to someone – customers, employees, investors or communities. And they recognize that companies satisfying related marketplace expectations – with “green” food products, better child safety products, better automobile gas mileage, or more desirable workplace environment – are rewarded with better workers, greater market share, and enhanced profits. With this recognition, they design a compliance program not only to ensure minimum compliance, but to seize related business opportunities geared to the underlying marketplace drivers. The compliance program is built into strategic objectives, and is risk-based and streamlined, with clarity around responsibilities and accountability, and supported by technology with meaningful communication and reporting.

Yes, there is an initial cost to doing this right, and a chief executive will expect to see a rational business case made for establishing such a program. But the benefits are real, and the CEO and board members will sleep better at night knowing an effective compliance program is in place in their company.
